Data breach fatigue is setting in and it's only February. Kickstarter is the latest high-profile site to be hacked.

Law enforcement authorities informed Kickstarter of the breach on Feb. 12, and Kickstarter immediately closed the vulnerability that allowed the attackers through, Yancey Strickler, Kickstarter's CEO, wrote on a blog post and in an email sent to users. The company "thoroughly investigated the situation" over the past four days before notifying users, and the team has already begun "strengthening security measures" throughout its infrastructure, Strickler said.

"We're incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting," Strickler said.

There is no excuse for anyone to be still using weak passwords or reusing credentials across multiple sites. As Security Watch has said time and time again (whether we are talking about LinkedIn, Twitter, Adobe, Evernote, or Dropbox, to name a few), we need to use strong passwords, make each password unique so that a breach at one site doesn't affect multiple accounts, and use stronger authentication methods such as turning on two-factor authentication or using a password manager. With Kickstarter joining the list, the same advice still applies.

What Was Stolen

For Kickstarter users, there's some good news and bad news. The good news is that no credit card data was accessed. That's most likely because Kickstarter never has your credit card data to begin with, since all payment transactions are processed and stored by Amazon Payments, not by Kickstarter. While Kickstarter does store the last four digits and expiration dates for credit cards used to fund projects outside of the United States, this information was not breached, the company said.

The bad news is that attackers did get into the database containing usernames, email addresses, mailing addresses, phone numbers, and passwords. So far it appears two accounts may have been used fraudulently. Kickstarter has already re-secured those accounts and notified the users.

Password Security

The passwords were not stored in plain text but hashed, which means that it would take attackers some time and quite a bit of computing resources to crack them. It appears some of the passwords were salted and hashed using the SHA-1 algorithm, while the others used the much stronger bcrypt hash. Regardless, no hashing scheme is completely fail-proof, and considering how easy it is to spin up powerful machines on Amazon Elastic Compute Cloud (EC2) or other cloud platforms, it's safe to assume your password will eventually be cracked. You should absolutely change your password right away.
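To show what the mix of storage schemes above means on the defender's side, here is an added example (not Kickstarter's code and not from the article): it verifies a legacy salted-SHA-1 record, transparently rehashes it to a slow hash on the next successful login, and measures how much more each password guess costs under the slow scheme. It assumes the standard library's scrypt as a stand-in for bcrypt, which is not in the standard library; all records and passwords are constructed.

```python
import hashlib
import hmac
import os
import time

# Legacy scheme: one salted SHA-1 digest per password (fast, therefore cheap to guess).
def legacy_sha1_hash(password: str, salt: bytes) -> bytes:
    return hashlib.sha1(salt + password.encode()).digest()

# Slow scheme. Assumption: stdlib scrypt stands in for the bcrypt the article names.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)

def slow_hash(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)

def make_record(password: str, scheme: str) -> dict:
    """Build a constructed credential record under the given scheme."""
    salt = os.urandom(16)
    if scheme == "sha1":
        return {"scheme": "sha1", "salt": salt, "hash": legacy_sha1_hash(password, salt)}
    return {"scheme": "scrypt", "salt": salt, "hash": slow_hash(password, salt)}

def verify_and_upgrade(record: dict, password: str) -> bool:
    """Return True on a match. A matching legacy record is rehashed in place,
    so the plaintext seen at login is used to retire the weak hash."""
    if record["scheme"] == "sha1":
        expected = legacy_sha1_hash(password, record["salt"])
    else:
        expected = slow_hash(password, record["salt"])
    if not hmac.compare_digest(expected, record["hash"]):  # constant-time compare
        return False
    if record["scheme"] == "sha1":
        record.update(make_record(password, "scrypt"))  # new salt, slow hash
    return True

def per_guess_seconds(fn, reps: int) -> float:
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(reps):
        fn("sample-password", salt)
    return (time.perf_counter() - start) / reps

def cost_ratio() -> float:
    """How many times more work one slow-hash guess costs than one legacy guess."""
    return per_guess_seconds(slow_hash, 3) / per_guess_seconds(legacy_sha1_hash, 20000)

if __name__ == "__main__":
    rec = make_record("correct horse battery", "sha1")
    print(verify_and_upgrade(rec, "correct horse battery"), rec["scheme"])
    print(f"slow scheme costs {cost_ratio():.0f}x more per guess")
```

The ratio is what turns a cloud-scale guessing run from hours into years; the in-place upgrade is how a site retires SHA-1 records without forcing every user to reset.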

A piece of good news for Kickstarter users who use their Facebook accounts to log in: their Facebook credentials remain secure since that information is stored on Facebook servers. Kickstarter has revoked all the tokens which allow Facebook logins, so the next time you try to log in, you will be prompted to manually link the accounts again.

What Next?

"We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again," Strickler said. While it's good Kickstarter is doing everything it can, users should also be doing everything possible to minimize the damage in case of another breach.

With all these breaches, it is increasingly clear that users need to become more security savvy. Do not reuse passwords across sites, even if you consider them to be less important or figure there is no sensitive information to protect. Passwords need to be long (more than eight characters if you can manage it) and complex with a mix of numbers, punctuation marks, and mixed case letters. Finally, consider turning on two-factor authentication if the site offers the feature, and look into using a password manager.

"We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come," Strickler said.

About the Author

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Inte...
